CVE-2026-44422
Description
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
FreeRDP clients prior to 3.26.0 have a heap use-after-free/double-free in the RDPEAR NDR parser when a malicious server reuses a pointer ref-id across two pointer fields, risking client memory corruption.
Vulnerability
In FreeRDP versions prior to 3.26.0, the RDPEAR NDR parser in channels/rdpear/common/ndr.c accepts a non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields, leading to a double-free or use-after-free in the client's RDPEAR authentication-redirection path [1].
Exploitation
An attacker must operate as a malicious RDP server and the FreeRDP client must connect with RDPEAR / Remote Credential Guard active (user interaction is required). The attacker sends crafted RDPEAR NDR data where the same ref-id is used for multiple pointer fields, causing the parser to alias the same heap object. The generic destructor later independently frees each pointer, resulting in a double-free [1].
Impact
Successful exploitation results in a heap use-after-free or double-free, potentially leading to memory corruption, type confusion, or out-of-bounds read. The attacker may achieve arbitrary code execution on the client system, though a full reliable exploit has not been demonstrated. The CVSS vector indicates high confidentiality, integrity, and availability impact [1].
Mitigation
The vulnerability is fixed in FreeRDP version 3.26.0. Users should upgrade to this version or later. No workaround is available [1]. Note that the affected parser is only reached when the client negotiates RDPEAR (Remote Credential Guard) with the server, as the preconditions below state; sessions that do not use that feature do not exercise it, which limits exposure but is not a substitute for upgrading.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
ae03a9ff981c: Fix for GHSA-j9q5-7g8m-jc9v, disable NDR pointer aliasing
1 file changed · +5 −0
channels/rdpear/common/ndr.c+5 −0 modified@@ -931,6 +931,11 @@ BOOL ndr_read_pointedMessageEx(NdrContext* context, wStream* s, ndr_refid ptrId, return FALSE; } } + else + { + WLog_ERR(TAG, "aliased pointer aren't supported for now"); + return FALSE; + } *target = ret; return TRUE;
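Review bot: the new else branch in ndr_read_pointedMessageEx turns every cache hit on an already-seen ptrId into a hard parse failure, which is the right call for closing the double-free but deserves two follow-ups in the same hunk. First, the log line "aliased pointer aren't supported for now" is ungrammatical and gives the operator nothing to go on; include the offending ref-id, e.g. WLog_ERR(TAG, "aliased NDR pointer ref-ids are not supported (ref-id reused)") with ptrId appended in whatever format ndr_refid uses. Second, "for now" signals a temporary restriction, so a code comment or issue reference explaining what a proper fix would track (the pointed object's NDR type and its owner) should sit next to the return so the intent is not lost. A regression test that feeds a stream reusing one ref-id across two pointer fields and asserts the function returns FALSE would pin the behaviour down.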
Vulnerability mechanics
Root cause
"The RDPEAR NDR parser caches only a ptrId -> raw pointer mapping without tracking the pointed object's NDR type or ownership, allowing the same heap object to be assigned to multiple owning fields and subsequently double-freed."
Attack vector
A malicious or compromised RDP server sends crafted RDPEAR NDR data to a FreeRDP client that has RDPEAR / Remote Credential Guard active. The NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership [1]. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields, and the generic destructor later frees both pointers, triggering a heap use-after-free / double-free [CWE-416][CWE-415]. The attack is network-delivered and requires user interaction (connecting to a malicious RDP server).
Affected code
The vulnerability resides in FreeRDP's RDPEAR NDR parser (`channels/rdpear/common/ndr.c`), specifically in `ndr_read_pointedMessageEx` which caches only a `ptrId -> raw pointer` mapping without tracking the pointed object's NDR type or ownership. The generic destructor `ndr_struct_destroy` (line 822) later walks each field independently and frees both pointers, causing a double-free/use-after-free. The `PackApReplyReq` struct in `channels/rdpear/common/rdpear-common/rdpear_common.h` (lines 224-229) is one affected request type with two same-type non-null pointer fields (`Reply` and `ReplyBody`).
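To make the aliasing concrete, the following is an added, self-contained C model of the two behaviours described above and in the patch on this page; it is example code written for this page, not FreeRDP's `ndr.c`. The wire layout (a 32-bit little-endian ref-id, followed by a 32-bit body only the first time an id appears), the `Blob` object type, the `MAX_PTRS` cache bound, the `Stream` type and all function names are assumptions of the example; `PackApReplyReq` with its `Reply` and `ReplyBody` fields mirrors the affected struct named above. The destructor walk frees each distinct address once and counts the frees that the real generic destructor would perform a second time, so the demo exercises the bug without corrupting its own heap.

```c
/*
 * Toy model of the RDPEAR NDR pointer cache and the generic destructor walk.
 * Added example for this page, not FreeRDP's channels/rdpear/common/ndr.c.
 * Assumed wire layout: 32-bit little-endian ref-id, followed by a 32-bit body
 * only when the id is seen for the first time (a reused id carries no body).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PTRS 8                        /* assumed cache bound for the example */

typedef uint32_t ndr_refid;
typedef struct { uint32_t value; } Blob;               /* the pointed object */
typedef struct { ndr_refid id; Blob* obj; } CacheEntry;

typedef struct {
    CacheEntry entries[MAX_PTRS];         /* ptrId -> raw pointer, nothing else tracked */
    size_t count;
    bool reject_aliases;                  /* false: pre-3.26.0; true: 3.26.0 behaviour */
} NdrContext;

typedef struct { const uint8_t* data; size_t len; size_t pos; } Stream;

static bool read_u32(Stream* s, uint32_t* out)
{
    if (s->len - s->pos < 4) return false;
    const uint8_t* p = s->data + s->pos;
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return true;
}

static Blob* cache_lookup(const NdrContext* ctx, ndr_refid id)
{
    for (size_t i = 0; i < ctx->count; i++)
        if (ctx->entries[i].id == id) return ctx->entries[i].obj;
    return NULL;
}

/* Stand-in for ndr_read_pointedMessageEx: bind one pointer field from the stream. */
static bool read_pointed_blob(NdrContext* ctx, Stream* s, Blob** target)
{
    ndr_refid id;
    if (!read_u32(s, &id)) return false;
    if (id == 0) { *target = NULL; return true; }          /* null pointer */

    Blob* cached = cache_lookup(ctx, id);
    if (!cached) {
        /* First sighting: parse the body and remember ptrId -> object. */
        if (ctx->count == MAX_PTRS) return false;
        Blob* b = calloc(1, sizeof *b);
        if (!b) return false;
        if (!read_u32(s, &b->value)) { free(b); return false; }
        ctx->entries[ctx->count++] = (CacheEntry){ id, b };
        *target = b;
        return true;
    }
    if (ctx->reject_aliases)
        return false;        /* patched: an already-bound ref-id is refused */
    *target = cached;        /* vulnerable: a second owning field gets the same object */
    return true;
}

typedef struct { Blob* Reply; Blob* ReplyBody; } PackApReplyReq;

static bool read_pack_ap_reply_req(NdrContext* ctx, Stream* s, PackApReplyReq* r)
{
    memset(r, 0, sizeof *r);
    return read_pointed_blob(ctx, s, &r->Reply) && read_pointed_blob(ctx, s, &r->ReplyBody);
}

/* Generic destructor walk: every pointer field is treated as owning. The real code
 * frees each field unconditionally; this model frees a distinct address once and
 * counts the fields that would have been freed a second time. */
static int destroy_pack_ap_reply_req(PackApReplyReq* r)
{
    Blob* fields[2] = { r->Reply, r->ReplyBody };
    int would_double_free = 0;
    for (int i = 0; i < 2; i++) {
        if (!fields[i]) continue;
        bool already_freed = false;
        for (int j = 0; j < i; j++)
            if (fields[j] == fields[i]) already_freed = true;
        if (already_freed) { would_double_free++; continue; }
        free(fields[i]);
    }
    memset(r, 0, sizeof *r);
    return would_double_free;
}

/* Constructed messages for the demo (not captured traffic). */
static const uint8_t kAliasedMsg[] = {
    0x01, 0x00, 0x00, 0x00,  0x41, 0x41, 0x41, 0x41,   /* Reply: new id 1 + body */
    0x01, 0x00, 0x00, 0x00                             /* ReplyBody: id 1 reused, no body */
};
static const uint8_t kDistinctMsg[] = {
    0x01, 0x00, 0x00, 0x00,  0x41, 0x41, 0x41, 0x41,   /* Reply: id 1 */
    0x02, 0x00, 0x00, 0x00,  0x42, 0x42, 0x42, 0x42    /* ReplyBody: id 2 */
};

/* Parses and destroys one message. Returns the number of would-be double frees,
 * or -1 if the parser rejected the message. */
static int run_message(const uint8_t* msg, size_t len, bool reject_aliases)
{
    NdrContext ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.reject_aliases = reject_aliases;
    Stream s = { msg, len, 0 };
    PackApReplyReq req;
    if (!read_pack_ap_reply_req(&ctx, &s, &req)) {
        free(req.Reply);      /* release whatever the first field already owns */
        return -1;
    }
    return destroy_pack_ap_reply_req(&req);
}

int main(void)
{
    printf("aliased, vulnerable: %d would-be double free(s)\n",
           run_message(kAliasedMsg, sizeof kAliasedMsg, false));
    printf("aliased, patched:    %d (rejected)\n",
           run_message(kAliasedMsg, sizeof kAliasedMsg, true));
    printf("distinct, patched:   %d\n",
           run_message(kDistinctMsg, sizeof kDistinctMsg, true));
    return 0;
}
```

With the aliased message the unpatched mode reports one would-be double free (both fields carry the same address into the destructor walk), the patched mode rejects the message at the second pointer field, and a message with two distinct ref-ids is accepted cleanly in both modes. The point to carry over to the real parser is that a `ptrId -> pointer` cache alone cannot distinguish "same object, referenced again" from "second owner of the same object"; either the second reference is refused, as the 3.26.0 patch does, or ownership has to be tracked explicitly.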
What the fix does
The patch in commit `ae03a9ff981ce7be1ab09dba2cd319d54984f910` [patch_id=3107127] does not add type or ownership tracking; it disables pointer aliasing outright, as its commit message says. In `ndr_read_pointedMessageEx`, the branch taken when the incoming ref-id is already present in the `ptrId -> raw pointer` cache now logs an error ("aliased pointer aren't supported for now") and returns `FALSE`, so a second pointer field is never bound to an object that another field already owns and `ndr_struct_destroy` can no longer free the same heap object twice. Rejecting the message at parse time also closes the type-confusion variant, since a cached object is never handed out again under a different descriptor. The cost is that any reuse of a ref-id, including any the protocol might legitimately permit, now aborts parsing; the "for now" in the log message marks this as a stopgap, and a fuller fix would track `ptrId -> NdrMessageType` plus ownership so that same-type aliases could be shared safely rather than refused.
Preconditions
- config: The FreeRDP client must have RDPEAR / Remote Credential Guard active
- auth: The user or application must connect to a malicious or compromised RDP server
- network: The attacker must be able to deliver crafted RDPEAR NDR data over the network
- input: The malicious server sends NDR data with a reused ref-id across multiple pointer fields
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References